The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures
Tal Malkin (Columbia Univ.), Satoshi Obana (NEC and Columbia Univ.), Moti Yung (Columbia Univ.)

Outline of the Talk
Brief Overview of Key Evolving Signatures
–Forward-Secure Signatures (FS)
–Key-Insulated Signatures (KI)
–Intrusion-Resilient Signatures (IR)
Security Hierarchy of Key Evolving Sigs. IR KI FS
Formal Definition of Proxy Signatures
Characterization of Proxy Signatures Proxy KI

The Hierarchy of Key Evolving Signatures
Key Evolving Signatures
Localize damage of secret key exposure
–Splitting time into periods: 0,1,…,T
–Updating secret (signing) key for each period without changing public (verification) key
Several models exist (for different settings and different security goals)
–Forward-Secure Signatures (FS) [And97,BM99]
–Key-Insulated Signatures (KI) [DKXY02]
–Intrusion-Resilient Signatures (IR) [IR02]

Forward-Secure Signatures
[Diagram: the Signer's algorithms Gen (input 1^k, T), Upd and Sign, with keys PK, SK_0, SK_{j-1}, SK_j; Vrfy takes PK and M and outputs Accept or Reject.]

Security of FS Signature
The adversary has access to
–The signing oracle O_sig(M,i) outputs the valid signature for the message M in the time period i
–The key exposure oracle O_sec(“s”, j) outputs the secret key SK_j of the time period j
The adversary successfully breaks the scheme if it outputs (M, ) s.t.
–(M,i) is never queried to the signing oracle
–(“s”, i') is never queried to the key exposure oracle such that i' < i

Key-Insulated Signatures
[Diagram: Signer with Gen (input 1^k, T), Upd and Sign, holding SK_0, SK_i, SK_j; Base with Upd*, holding SK* and marked "Securely protected", sending SK'_{i,j} for periods i, j; Vrfy takes PK and M.]
KI possesses random access key capability

Security of KI Signature
The adversary has access to
–The signing oracle O_sig(M,i) outputs the valid signature for the message M in the time period i
–The key exposure oracle O_sec(“s”, j) outputs the secret key SK_j of the time period j
The adversary successfully breaks the scheme if it outputs (M, ) s.t.
–(M,i) is never queried to the signing oracle
–(“s”,i) is never queried to the key exposure oracle

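The FS and KI winning conditions above differ only in which key exposures disqualify a forgery. The following added example (not from the talk) encodes both as checks over a constructed transcript of oracle queries. The names Transcript, fs_break and ki_break are illustrative, the forged signature is assumed to verify already, and the FS check also rules out exposure of period i itself, since SK_i signs for period i directly.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass
class Transcript:
    """Oracle queries an adversary made before outputting its forgery."""
    signed: set = field(default_factory=set)   # (M, i) pairs sent to O_sig
    exposed: set = field(default_factory=set)  # periods j sent to O_sec as ("s", j)

def fresh(t, msg, period):
    # Shared condition: (M, i) was never queried to the signing oracle.
    return (msg, period) not in t.signed

def fs_break(t, msg, period):
    # FS keys evolve sequentially, so an exposed SK_j yields every later key.
    # A period-i forgery counts only if every exposed period lies after i.
    return fresh(t, msg, period) and all(j > period for j in t.exposed)

def ki_break(t, msg, period):
    # KI periods are insulated: only exposure of SK_i itself disqualifies.
    return fresh(t, msg, period) and period not in t.exposed

def classify(t, msg, period):
    """Which models count the forgery (msg, period) as a successful break."""
    return {"FS": fs_break(t, msg, period), "KI": ki_break(t, msg, period)}

def fs_break_implies_ki_break(periods=4):
    # Exhaustive check over every exposure set on a small number of periods:
    # any forgery that counts against FS also counts against KI.
    for bits in product([False, True], repeat=periods):
        t = Transcript(exposed={j for j, b in enumerate(bits) if b})
        for i in range(periods):
            if fs_break(t, "m", i) and not ki_break(t, "m", i):
                return False
    return True

if __name__ == "__main__":
    # Constructed transcript: one signing query, key exposure in period 3.
    t = Transcript(signed={("invoice", 2)}, exposed={3})
    for forgery in [("order", 1), ("order", 3), ("order", 5), ("invoice", 2)]:
        print(forgery, classify(t, *forgery))
    print("FS break implies KI break:", fs_break_implies_ki_break())
```

The period-5 forgery after exposure of period 3 is the case that separates the two models: it is trivial against FS but counts as a break of KI.
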
Intrusion-Resilient Signatures
[Diagram: Signer with Gen (input 1^k, T), Upd, Refr and Sign, holding signer keys SKS_{0.0}, SKS_{(j-1).r}, SKS_{j.0}, SKS_{j.r}, SKS_{j.(r+1)}; Base with Upd* and Refr*, holding base keys SKB_{0.0}, SKB_{(j-1).r}, SKB_{j.0}, SKB_{j.r}, SKB_{j.(r+1)} and marked "NOT protected"; messages SKU_{j-1} and SKR_{j.r} between them; Vrfy takes PK and M.]

Security of IR Signature
The adversary has access to
–The signing oracle O_sig(M,i.r) outputs Sign(SKS_{i.r}, M)
–The key exposure oracle O_sec(query) outputs
  SKS_{j.r} if query = (“s”, j.r)
  SKB_{j.r} if query = (“b”, j.r)
  SKU_j and SKR_{j+1.0} if query = (“u”, j)
  SKR_{j.r} if query = (“r”, j.r)
The adversary successfully breaks the scheme if it outputs (M, ) s.t.
–(M,i) is never queried to the signing oracle
–SKS_{i.r} is not exposed by the oracle calls
–No SKS_{i'.r'} and SKB_{i'.r'} are exposed by the oracle calls for any i' < i

Question: Are there any relations among these “similar” models?
Answer: Yes! Security hierarchy exists among these models! IR KI FS
Further, all the security reductions are tight (via concrete security analysis)

Theorem (IR KI)
We can construct KI from IR in such a way that if there exists an adversary which breaks KI (constructed from IR), then we can construct an adversary which breaks IR where : running time of the adversary : success probability of the adversary : number of queries to signing oracle : number of queries to key exposure oracle

Constructing KI from IR (Gen)
[Diagram: Gen of KI runs Gen(IR) on input 1^k, obtaining SKB_{0.0}, SKS_{0.0} and PK, then Refr(IR) and Refr*(IR); outputs SK*, SK_0 = SKS_{0.1} and PK = PK(IR).]

Constructing KI from IR (Upd*)
[Diagram: Upd* of KI on input i, j runs Upd*(IR), Upd(IR), Refr*(IR) and Refr(IR), stepping through SKS_{0.1}, SKS_{1.0}, SKS_{1.1}, SKS_{2.0}, SKS_{2.1}, SKS_{3.0}, SKS_{3.1}, up to SKS_{j.0}, SKS_{j.1} and the matching SKB keys; the output is SK'_{i,j} = SKS_{j.1}.]
Random access to the key can be achieved

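Constructing KI from IR (cont’d)
[Diagram: the Base holds SK* and runs Upd*; the Signer holds SK_i = SKS_{i.1}, receives SK'_{i,j} = SKS_{j.1} and sets SK_j = SKS_{j.1}; Sign is Sign(IR), Vrfy is Vrfy(IR), PK = PK(IR); Vrfy takes M and outputs Accept or Reject.]
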
Constructing Oracles
Oracles for KI can also be constructed from oracles for IR as follows
–O_sig(M, j) = O_sig(M, j.1)
–O_sec(“s”, j) = O_sec(“s”, j.1)
It is easy to see that if the adversary successfully breaks KI, then the adversary also breaks IR with the same output.

Other relations
KI IR: IR can be constructed from KI by sharing signer keys of KI between the signer and the base of IR
IR FS: Straightforward (all the algorithms of the signer and the base are put into the signer of FS)
Both reductions are tight (in the sense of no security loss in the reductions)

A Characterization of Proxy Signatures
Proxy Signatures
Method of giving the (partial) signing right of an entity (delegator) to others (proxy signers)
A lot of schemes have been proposed so far, but only a few of them are proven to be secure
No formal model exists (except [BPW03], which gives a formal model for one-level delegation)

Our Results on Proxy Signatures
Formal model for “fully hierarchical” proxy signature (based on [BPW03])
Characterization of proxy signatures via key evolving signature: Proxy KI

Model of Proxy Signatures
[Diagram: Delegator (SK_D, PK_D) and Proxy Signer (SK_P, PK_P) with algorithms Gen (input 1^k), Sign, Vrfy, Dlg_D, Dlg_P, PSig and PVrf; labels w, SKP_{D>P}, W, M, sig, ps; Vrfy and PVrf output accept or reject.]

Multi-Level Delegation
[Diagram: Delegator (Dlg_D) and Proxy Signer (Dlg_P, PSig; SK_P, PK_P); labels w_{D>P}, SKP_{I>D}, W_{I>D}, SKP_{I>D>P}, W_{I>D>P}, PK.]
If the delegator wants to delegate the signing right which she is delegated from others

Self Delegation
[Diagram: Delegator (Dlg_D) and Proxy Signer (Dlg_P); labels SK_D, PK_D, w_{D>P}.]
If the delegator wants to delegate the signing right to herself (possibly to an insecure device)
Secret key of the delegator is not inputted in the case of self delegation

Security def. of Proxy Signatures
The adversary has access to
–Signing Oracle O_sig
–Key exposure Oracle O_sec
–Delegation Oracle O_Dlg, which interacts with the adversary on behalf of Dlg_D or Dlg_P
A proxy signature scheme is secure if the adversary cannot forge a proxy signature (non-proxy signature) when the adversary cannot compute the proxy signing key and the warrant (signing key) through the queries to the oracles

Proxy Sigs. and Key Evolving Sigs.
Some similarities exist
–Localize the damage of key exposure
–Prevent non-delegated users (who know their own signing keys) from forging the proxy signature
–Key is evolved for “each time period”
–Proxy signing key is generated for “each delegation”
Characterization of Proxy Signatures via Key Evolving Signatures (Equivalence between KI and Proxy)

Theorem (Proxy KI)
We can construct KI from Proxy in such a way that if there exists an adversary which breaks KI (constructed from Proxy), then we can construct an adversary which breaks Proxy s.t. where : running time of the adversary : success probability of the adversary : number of queries to oracle A

Theorem (KI Proxy)
We can construct Proxy (with n delegators and the number of self delegations limited to c) from KI in such a way that if there exists an adversary which breaks Proxy (constructed from KI), then we can construct an adversary which breaks KI s.t.

Conclusion
Security Hierarchy of Key Evolving Signatures. IR KI FS
Formal Definition of Fully Hierarchical Proxy Signatures
Characterization of Proxy Signatures Proxy KI

Thank you!
Difference among the models
Model | Base | Key Evolution | Security
FS | (none) | sequential | Past signatures are protected
KI | Secure | Random access is possible | Signatures of all the uncorrupted time periods are protected
IR | Insecure | sequential | Signatures of all the uncorrupted time periods are protected. Forward Security can be assured even if signer key and base key are corrupted simultaneously